Trojan:Win32/Alureon.DH is a member of Win32/Alureon, a multi-component family of trojans involved in a broad range of subversive online activities that generate revenue for its controllers from various sources. Win32/Alureon is mostly associated with mediating an affected user's online activity to the attacker's benefit. As such, the various components of this family have been used for:
modifying the affected user's search results (search hijacking)
redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
changing DNS settings to redirect users to sites of the attacker's choice without the affected user's knowledge
downloading and executing arbitrary files, including additional components and other malware
serving illegitimate advertising
installing rogue security software
Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components.
Some variants of this trojan modify the DNS settings on the host computer to enable the attacker to perform these tasks. Therefore, it may be necessary to reconfigure the DNS settings after the trojan has been removed from the computer.
Trojan:Win32/Alureon.DH is used to download and install other malware.
Trojan:Win32/Alureon.DH may be present as a semi-randomly named file in the Windows system folder in the following format:
<system folder>\h8srt<randomchars>.dll - for example, "h8srtejsuwmelgm.dll"
The trojan checks whether it has been loaded into, or injected into, one of the following Web browser and Windows processes; if it has not, it exits:
If it was loaded by "svchost.exe", it might create the following mutex:
Additionally, the trojan may create a registry subkey named "HKLM\Software\H8SRT".
Display pop-up advertisements
Trojan:Win32/Alureon.DH may display unrequested pop-up advertisements while browsing the Internet.
Downloads arbitrary files
The trojan may contact various domains in an attempt to download additional malware. During analysis, this trojan was observed connecting to the domain "hardlyfind.com".
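The artifacts named above (the h8srt<randomchars>.dll file in the system folder, the HKLM\Software\H8SRT subkey, changed DNS settings and the hardlyfind.com download domain) can be checked for on a suspect host with the following script. It is an added example, not Microsoft's own tooling; the resolver addresses in $ExpectedDnsServers are an assumption and should be replaced with the resolvers actually configured in your environment.

```powershell
# Added example (not Microsoft's tooling): triage a Windows host for the
# Trojan:Win32/Alureon.DH artifacts described on this page.
# Run from an elevated Windows PowerShell prompt.
function Find-AlureonDhIndicators {
    param(
        # ASSUMPTION: example resolvers; replace with the DNS servers you expect
        [string[]]$ExpectedDnsServers = @('10.0.0.53', '10.0.1.53')
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $systemFolder = [Environment]::GetFolderPath([Environment+SpecialFolder]::System)

    # 1. Semi-randomly named DLL: <system folder>\h8srt<randomchars>.dll
    foreach ($file in Get-ChildItem -Path $systemFolder -Filter 'h8srt*.dll' -Force -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{
            Indicator = 'File'
            Value     = $file.FullName
            Detail    = "Size=$($file.Length) LastWriteUtc=$($file.LastWriteTimeUtc.ToString('u'))"
        })
    }

    # 2. Registry subkey HKLM\Software\H8SRT (on 64-bit hosts also the 32-bit view)
    foreach ($key in 'HKLM:\SOFTWARE\H8SRT', 'HKLM:\SOFTWARE\WOW6432Node\H8SRT') {
        if (Test-Path -LiteralPath $key) {
            $findings.Add([pscustomobject]@{
                Indicator = 'Registry'
                Value     = $key
                Detail    = ((Get-ItemProperty -LiteralPath $key | Out-String).Trim())
            })
        }
    }

    # 3. DNS servers on IP-enabled adapters. Some variants change these, so any
    #    resolver you did not configure is a finding and a remediation item.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        $unexpected = @($adapter.DNSServerSearchOrder | Where-Object { $ExpectedDnsServers -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Indicator = 'DNS'
                Value     = $adapter.Description
                Detail    = "Unexpected resolvers: $($unexpected -join ', ')"
            })
        }
    }

    # 4. The download domain seen during analysis: look for it in the
    #    resolver cache and in the hosts file.
    $domain = 'hardlyfind.com'
    $cacheHits = @(ipconfig /displaydns 2>$null | Select-String -SimpleMatch -Pattern $domain)
    if ($cacheHits.Count -gt 0) {
        $findings.Add([pscustomobject]@{ Indicator = 'DnsCache'; Value = $domain; Detail = 'Present in resolver cache' })
    }
    $hostsPath = Join-Path $systemFolder 'drivers\etc\hosts'
    $hostsHits = @(Select-String -Path $hostsPath -SimpleMatch -Pattern $domain -ErrorAction SilentlyContinue)
    if ($hostsHits.Count -gt 0) {
        $findings.Add([pscustomobject]@{ Indicator = 'HostsFile'; Value = $hostsPath; Detail = ($hostsHits.Line -join '; ') })
    }

    return $findings
}

$results = @(Find-AlureonDhIndicators)
if ($results.Count -eq 0) {
    'No Trojan:Win32/Alureon.DH indicators found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Because Win32/Alureon uses stealth techniques to hide its components, a clean result from a live, possibly infected system is not conclusive; repeat the file and registry checks from an offline boot environment or against a disk image before declaring the host clean, and reconfigure the DNS settings if the DNS check reports resolvers you did not set.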
Blocks certain Web sites
Trojan:Win32/Alureon.DH hooks the following Windows APIs to assist in blocking certain Web sites:
The following list contains names of help-related sites that are blocked by the trojan:
Additionally, this trojan uses an encrypted configuration data file to manipulate the Web browser. The data file is semi-randomly named such as the following example:
Analysis by Andrei Florin Saygo